A Russian cyber espionage group is targeting hotel Wi-Fi networks to carry out malware infections and potentially steal credentials, researchers warn
Cyber criminals are targeting hotel Wi-Fi networks in the Middle East and throughout Europe, posing a risk to government and business travelers, warn researchers at security firm FireEye.
The campaign is being attributed with “moderate confidence” to Russian cyber espionage group APT28, the researchers wrote in a blog post.
The group, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit and Strontium, has been linked to the Russian military intelligence agency GRU and to several prominent cyber attacks.
These include cyber attacks on the German parliament, French television station TV5Monde, the White House, Nato, the US Democratic National Committee, and the election campaign of French presidential candidate Emmanuel Macron.
The campaign targeting the hospitality sector is believed to date back to at least July 2017 and to include password sniffing, poisoning of the NetBIOS Name Service, and use of the EternalBlue exploit, which was a key component of the WannaCry ransomware.
FireEye uncovered a malicious document sent in spear phishing emails to multiple companies in the hospitality industry, including hotels in at least seven European countries and one Middle Eastern country in July 2017.
Successful execution of the macro within the malicious document results in the installation of APT28’s signature GAMEFISH malware.
According to the researchers, the attackers are using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers.
Once inside the network of a hospitality company, the attackers sought out machines that controlled both guest and internal Wi-Fi networks.
Although no guest credentials were observed being stolen at the compromised hotels, the researchers said in previous cases APT28 has gained initial access to a victim’s network via credentials likely stolen from a hotel Wi-Fi network.
Upon gaining access to the machines connected to corporate and guest Wi-Fi networks, APT28 deployed Responder, which enables NetBIOS Name Service (NBT-NS) poisoning.
Stealing usernames and hashed passwords
This technique tricks victims’ computers into sending the username and hashed password to the attacker-controlled machine. APT28 used this technique to steal usernames and hashed passwords that allowed escalation of privileges in the victim network, the researchers said.
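As an added defender-side example that is not part of the article or the FireEye research: a parser for NBT-NS name query responses (UDP port 137) and a heuristic that flags hosts answering queries they should not own, such as canary names that do not exist on the network or an unusually wide set of names. Packet bytes, host names and addresses below are constructed for the example.

```python
import struct
from collections import defaultdict

def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """NetBIOS first-level encoding: pad to 15 chars, add suffix byte, split each byte into two 'A'-'P' chars."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))

def decode_nb_name(encoded: bytes) -> str:
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip()          # byte 16 is the suffix, not part of the name

def build_nbns_response(txid: int, name: str, ip: str) -> bytes:
    """Constructed positive name query response (type NB, class IN) claiming `name` lives at `ip`."""
    hdr = struct.pack("!6H", txid, 0x8500, 0, 1, 0, 0)            # response, authoritative, 1 answer
    rr_name = b"\x20" + encode_nb_name(name) + b"\x00"             # 32-char label + terminator
    rdata = b"\x00\x00" + bytes(int(o) for o in ip.split("."))     # NB flags (B-node, unique) + IPv4
    return hdr + rr_name + struct.pack("!HHIH", 0x20, 1, 300, len(rdata)) + rdata

def parse_nbns_response(pkt: bytes):
    """Return (queried_name, answered_ip) for a positive NBT-NS name response, else None."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    if not (flags & 0x8000) or an < 1 or pkt[12] != 0x20:         # not a response / no answer / bad label
        return None
    name = decode_nb_name(pkt[13:45])
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[46:56])
    if rtype != 0x20 or rclass != 1 or rdlen < 6:
        return None
    return name, ".".join(str(b) for b in pkt[58:62])              # skip the 2-byte NB flags

CANARY_NAMES = {"NOSUCHHOST", "FAKESERVER01"}   # names that must never exist on the network

def find_poisoners(records, canary_names=CANARY_NAMES, threshold=3):
    """records: (source_ip, udp_payload). Returns {responder_ip: names} for suspicious responders."""
    answered = defaultdict(set)
    for src, payload in records:
        parsed = parse_nbns_response(payload)
        if parsed:
            answered[src].add(parsed[0])
    return {ip: sorted(names) for ip, names in answered.items()
            if names & canary_names or len(names) >= threshold}

# Constructed capture: a legitimate file server answering for its own name, and one host
# answering for every name asked, including a canary, which is the signature of NBT-NS poisoning.
SAMPLE_RECORDS = [
    ("10.0.0.5", build_nbns_response(1, "FILESRV", "10.0.0.5")),
    ("10.0.0.99", build_nbns_response(2, "FILESRV", "10.0.0.99")),
    ("10.0.0.99", build_nbns_response(3, "WPAD", "10.0.0.99")),
    ("10.0.0.99", build_nbns_response(4, "PRINTSRV", "10.0.0.99")),
    ("10.0.0.99", build_nbns_response(5, "NOSUCHHOST", "10.0.0.99")),
]

if __name__ == "__main__":
    print(find_poisoners(SAMPLE_RECORDS))   # {'10.0.0.99': ['FILESRV', 'NOSUCHHOST', 'PRINTSRV', 'WPAD']}
```

The same heuristic applies to LLMNR responses; disabling NetBIOS over TCP/IP and LLMNR on hosts removes the poisoning surface entirely.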
To spread through the hospitality company’s network, APT28 used a version of the EternalBlue server message block (SMB) protocol exploit. “This is the first time we have seen APT28 incorporate this exploit into their intrusions,” the researchers said.
They note that cyber espionage activity against the hospitality industry is typically focused on collecting information on or from hotel guests of interest rather than on the hotel industry itself, which means that business and government travelers who often rely on hotel systems to conduct business should be familiar with the threats posed while abroad.
“APT28 isn’t the only group targeting travelers. South Korea-nexus Fallout Team (aka Darkhotel) has used spoofed software updates on infected Wi-Fi networks in Asian hotels, and Duqu 2.0 malware has been found on the networks of European hotels used by participants in the Iranian nuclear negotiations,” the researchers said.
APT28’s tactics continue to grow
This campaign, they said, shows that APT28’s already wide-ranging capabilities and tactics continue to grow and be refined as the group expands its infection vectors.
“Travelers must be aware of the threats posed when traveling – especially to foreign countries – and take extra precautions to secure their systems and data,” the researchers advised. “Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible,” they said.
In the wake of the WannaCry and Petya/NotPetya attacks, it is not surprising that notorious cyber gangs are finding new ways to use the NSA’s EternalBlue exploit to support their criminal activities, said Chris Wysopal, co-founder and chief technology officer at security firm Veracode.
“The EternalBlue exploit has been shown to be extremely effective at spreading malware infections to other unpatched Microsoft systems,” he said.
Wysopal said Microsoft has indicated a number of different versions of Windows are vulnerable to the EternalBlue exploit, even those currently receiving support.
“It is imperative that IT teams from all businesses across all industries ensure that the version of Windows that they are using is not vulnerable to EternalBlue and, if so, take the necessary steps to remediate it,” he said.
Wysopal believes that cyber criminals are likely to continue using EternalBlue until devices are patched and it is no longer an effective vector for them to spread malware.